SIM Swap Scam Leads to $125,000 Theft

When a woman suddenly loses service on her smartphone, she realizes that criminals are draining money from her accounts and even selling her stocks. Learn how to protect yourself from common SIM swapping scams.

Patricia is enjoying a quiet night babysitting when she discovers that her phone has no service. When she switches to Wi-Fi, a sudden barrage of notifications shows that someone is moving money out of her accounts. This sets Patricia off on a race against time to save her assets from criminals who are even cashing out her stocks. Bob talks with Rachel Tobac, CEO of SocialProof Security, about practical steps we can all take to protect ourselves from SIM swapping scams. 

Full Transcript

(MUSIC INTRO)

[00:00:02] Bob: This week on The Perfect Scam.

[00:00:04] Patricia Escriva: So the police is like, "Ma'am, your phone is in your hands." I said, "Officer, they stole my phone number, not my device." That's when his, his jaw dropped. He's like, "What do you mean?"

(MUSIC SEGUE)

[00:00:21] Bob: Welcome back to The Perfect Scam. I'm your host, Bob Sullivan.

(MUSIC SEGUE)

[00:00:25] Bob: Like it or not, for most of us, our cellphones are the key to our digital lives right now. We need them to log into our bank accounts; we need them for directions. Heck, we even need them just to buy things sometimes. We really depend on these little things. Remember how terrible it felt the last time you thought you lost your phone, even for just a moment? That's why I think this episode is so important. Criminals can steal your phone, we all know that, but did you know criminals can steal your phone number, even if you have your phone in your hands? And that, well that can be the same thing as stealing your whole financial life. We'll explain how today and with some help, we'll explain what you can do to protect yourself. But I'll say it again now, because it's so, so important. Add to the list of all the other emergency plans in your life like what to do if there's a fire or an accident, you should have a plan for what to do if you suddenly don't have access to your mobile phone, for any reason. Now, we want you to meet a woman who did, in fact, have her phone number stolen, had a whole digital life stolen, and there were real-life consequences.

[00:01:35] Patricia Escriva: Okay, my name is Patricia Escriva. And I am in Coconut Creek, which is in Broward County.

[00:01:42] Bob: And uh, what's the nearest big city to you?

[00:01:46] Patricia Escriva: Fort Lauderdale and Boca; I'm between both.

[00:01:49] Bob: Oh, okay. Got it. How long you been there?

[00:01:51] Patricia Escriva: 30 years.

[00:01:52] Bob: 30 years. That's a long time. So you're practically a native.

[00:01:56] Patricia Escriva: Yes, I bought in 1995.

[00:02:00] Bob: Patricia began her life as a ballet dancer, and then became a teacher.

[00:02:06] Patricia Escriva: I started dancing ballet when I was 7 years old, and I quit when I was about 32 or so.

[00:02:13] Bob: Bal--, ballet's very hard on the body, isn't it?

[00:02:15] Patricia Escriva: Oh you kidding me? Now I'm paying for it. I have um, lower back pain, but, you know, when you're young, you don't think about anything, you're just young and you do, and I was very elastic. So I was um, I don't know if you know a little bit of ballet, but Balanchine, you were (inaudible) that a lot of people like me, like long arms, long legs; I'm very flexible. So they, dancers, were doing with me whatever they wanted because I was able to do it, yes.

[00:02:43] Bob: Wow, and you did that from age 7 to age 32? That's a long time.

[00:02:48] Patricia Escriva: I danced, I started in Venezuela, then I came here in '87 to dance with, in Florida, and then I finally ended in Boston.

[00:02:59] Bob: Well what did you do when you retired from dancing?

[00:03:02] Patricia Escriva: Well I became a preschool teacher which I worked a little bit, just a couple of years because it's too much work. I love kids, but the money, uh-uh. So I became a swimming instructor, and I also now work part-time like kids, they need help with homework and stuff like that.

[00:03:25] Bob: And of all the life skills that prepared Patricia for her dark encounter with criminals and our fragile banking systems, well I mean being flexible certainly helped, but working with little kids probably did the most good.

[00:03:39] Bob: Dealing with the banks is a little bit like dealing with a bunch of 3- or 4-year-olds, right?

[00:03:43] Patricia Escriva: You got it, because you're talking to them, they were looking at me like, what are you talking about?

[00:03:48] Bob: What are we talking about? We're talking about the night that the nightmare began. Patricia is at a neighbor's house babysitting.

[00:03:58] Patricia Escriva: Yes. This is my best friend's stepson. He has autism and he, the only person he will stay with is me, so I say, not a problem. We're neighbors. I walk to her house. They left, and I brought games. So we started playing games, and I'm not a, a phone person. You know, I'm not like 24/7 on my phone. So I put my phone away and we play. Thanks to my Lord, he said, "Patricia, I want to take a shower." I said, "Okay, baby, I'll be in the living room then." So then I grab my phone and I realized I have nothing; no tags, no um, WhatsApp, nothing.

[00:04:40] Bob: Patricia's phone appears to be just dead. Nothing seems to work. She has no network connections, and the phone has no heartbeat, she tells me.

[00:04:51] Patricia Escriva: And that catch my attention, so when he came out of the shower I said, "Can you get me the wi-fi, because it's kind of weird that I have nothing on my phone." Sure enough, as soon as he, he put the, the wi-fi into my phone, (sound effects) brrring, you know everything, like what's..., WhatsApp, emails you name it.

[00:05:14] Bob: Now on wi-fi, her phone comes to life and well at first there's a trickle of notices that come in over email.

[00:05:23] Patricia Escriva: And it catch my attention that there was two alerts from Chase Bank. The first one was, "You add a new device into your account." And I'm like no way because I'm here and my husband was sick as a dog at home. But then a second later it's like, "You changed your password." Then I panic. When I tried to call him, my phone says, "You have no network."

[00:05:53] Bob: Patricia's bank has sent two notices; one about a new device, one about a new password, and that's scary enough, but when she tried to call her sick husband and ask him what's going on, well she still has no cell service, so she can't make a call. So she has to leap into action. She tells her friend's stepson...

[00:06:12] Patricia Escriva: "Get your shoes on. We're outta here." And thank God it's, like I told you, it's like walk distance, so we ran into my house.

[00:06:20] Bob: But running home isn't the only reason Patricia's heart is racing.

[00:06:25] Patricia Escriva: Well I was almost having a heart attack, because I'm like, I know it wasn't me. I knew it wasn't my husband. Nobody else is into our account. I yell at this poor kid, I said, "Get your shoes on and we're..." I don't even know how fast or how slow, my world was kind of like slow motion, you know.

[00:06:44] Bob: But nothing is slow motion when they go flying through the front door.

[00:06:48] Patricia Escriva: As soon as I opened the door my husband was sleeping on the sofa. I started yelling at him, poor thing. He's like, getting up and sounds like, looking like, you know like that chicken with no head. And I said, "Oh my God, somebody is into our account."

[00:07:03] Bob: And when she finally starts really going through her emails, well the full extent of what has happened becomes obvious. The trickle of scary notices has now become a flood.

[00:07:14] Patricia Escriva: Emails was coming in like Nordstrom $1500, UberEATS 800. 1000. Brring... you name it. I went nuts.

[00:07:24] Bob: And she rouses her sick husband and says...

[00:07:28] Patricia Escriva: "Oh my God, they stealing our money, they stole it, our credit cards." And that poor guy, sick as, as a dog running around, didn't know what to do.

[00:07:37] Bob: Someone is stealing from them as they sit there looking at their email. Patricia knows she has to call someone ASAP, even though it's night-time, but...

[00:07:47] Patricia Escriva: So I grabbed his phone and uh I said, I see that it was no network either. I'm telling you, we almost died, both of us almost died.

[00:07:58] Bob: Both their phones are disconnected. And money's being stolen. A lot of money. It's an incredibly helpless feeling, so Patricia runs next door to a different neighbor's house to borrow a phone. But when Patricia finally reaches an operator at her provider, the mystery only deepens. She's told that her phone number has been changed to a totally different cellphone provider.

[00:08:21] Patricia Escriva: And as soon as I started talking to them, they told me like, "Oh, I'm sorry. You changed your numbers..." I'm like, "Ma'am, no I did not. Something is not right here, and they started, you know, using my, my accounts, my credit cards." So I know I wasn't going to go nowhere with them.

[00:08:42] Bob: And there's another problem.

[00:08:45] Bob: At that point also you had to take your friend's child with you and so when she came home, she couldn't find you guys, right?

[00:08:51] Patricia Escriva: Because I didn't even call her, listen we're going, we're in this problem. I wasn't even thinking, but he was, he's 12, so he was next to me.

[00:09:00] Bob: Fortunately, his mom doesn't panic and comes looking for them at Patricia's house. And she actually is able to help.

[00:09:06] Patricia Escriva: She was coming, like, "Hey guys, where you, you know, I was wondering where you are." And she saw my face. I started crying. And she's like, "Oh my God. Listen, run into my house and let me bring a phone to Nelson, and we got to got the Coconut Creek police department."

[00:09:20] Bob: But there was, there was even that moment where she was worried about what had happened to you, right?

[00:09:24] Patricia Escriva: Exactly.

[00:09:25] Bob: Yeah, yeah. You know I just, there's so many consequences when something like this happens, you know.

[00:09:29] Patricia Escriva: Exactly, uh-huh.

[00:09:31] Bob: Why would someone change her phone number? Whatever is going on, Patricia knows there's a crime going on. Hackers have even started to use their PayPal account at this point. So Patricia leaves the child with her husband and heads with her friend to the police department where she tries to explain that her phone has been stolen.

[00:09:51] Patricia Escriva: They have no clue what I was saying because I had my phone in my hands, so the police is like, "Ma'am, your phone is in your hands." I said, "Officer, they stole my phone number, not my device." That's when his, his jaw dropped. He's like, "What do you mean?" And I'm like, "Exactly. My phone number." So he goes, "Let me call a partner and, um, and let me, let meet you at your house." So we're talking about it was already 9 o'clock...

[00:10:21] Bob: When the cops get to her house, Patricia is trying to make sense out of everything that's happened with her bank, and well the frustration reaches a boiling point.

[00:10:31] Bob: They want to authenticate you by sending a text, and of course, you can't get a text, but they don't understand that. Is that, is that right?

[00:10:38] Patricia Escriva: Exactly, that's what she was saying. "In order for me to froze your account Miss Patricia Escriva, I'm going to send you a text." And I'm like, "What is the part that you don't understand?"

[00:10:50] Bob: Of course. The fraud department wants to verify her with an SMS, but she can't receive an SMS text.

[00:10:58] Bob: I can't think of anything more frustrating than being on the phone with a bank saying, "Someone's stealing my money!" And them saying, "Well, we have to send you a text." That seems awful.

[00:11:07] Patricia Escriva: Awful, completely. Completely.

[00:11:11] Bob: With the police now listening in on this crazy conversation, the extent of the mess starts to dawn on Patricia. The criminals have access to all her financial accounts, even her brokerage accounts, their retirement. And yet, she's told by the fraud department...

[00:11:28] Patricia Escriva: "The only thing I'm allowed to do at the moment is stop your credit cards." And I'm like, what are you talking about? We were talking Spanish, right? And I had the officer next to me, and I said, "Listen, you're going to have to switch to English because I cannot believe what you're saying, and I want the law, which is the police officer listening to you, because it doesn't make any sense. Banks should have 24/7 customer service. So the police is like, "What are you talking about? This, you know, I'm the law..." blah-blah-blah. Nothing. She just stopped the, she just stopped the credit cards, that was it.

[00:12:06] Bob: Meanwhile, the police officers are there to witness some of the theft in real time.

[00:12:11] Patricia Escriva: One of them was with me and in the kitchen, the other one was with my husband in his office. And for whatever reason, because we had the wi-fi at home, he was able to kind of see some stuff because they already changed, remember, they already changed the password to our bank accounts. They were seeing uh, money coming out of the account, because what they were doing, they were using our credit cards, and they were using the money from PayPal which was credit to pay off the credit cards in order to continue using the credit cards. So the police officer told my husband, "Transfer that money, transfer that money." I mean it was nuts.

[00:12:49] Bob: I mean you must be sweating at this point. You know it's a race against time, right?

[00:12:52] Patricia Escriva: Oh, my God, are you kidding me? We were like, stop that!

[00:12:56] Bob: So they do all they can that night, but eventually the cops leave, and they have to endure a sleepless night until they can get to a bank branch the next morning when... the worst-case scenario seems to have happened.

[00:13:09] Patricia Escriva: Finally, 9 o'clock, and we were right by the bank as soon as they opened, I started yelling, "Oh my God, this is what's happening to us. Please stop right now going to our account..." blah-blah-blah-blah. As soon as, Bob, they opened our accounts, this is crazy, but it happened. These people were able to sold our stocks.

[00:13:32] Bob: Wow!

[00:13:33] Patricia Escriva: They were able to sell our stocks. They already have money into our checking account, and if you wait a little bit longer, they cash out that money and you're done, you're history. Nobody will replace that money.

[00:13:46] Bob: Yeah, how much money was that?

[00:13:48] Patricia Escriva: Um, they transfer about 100,000.

[00:13:52] Bob: Wow.

[00:13:54] Patricia Escriva: Yes. Yes.

[00:13:56] Bob: Whoever these criminals are, they've managed to raid all the couple's financial accounts. They even sold their stocks and moved the money into their checking account. A teller there gives them reassurance, but you can imagine it's cold comfort at the time.

[00:14:12] Patricia Escriva: Oh my God, are you kidding me? We were like, stop that! And they go, "Don't worry about it. There's nothing that they are going to be able to do. Everything is froze right this moment. And, and then we're going to have to open new, you know, a new account."

[00:14:27] Bob: So they leave the bank and head to their cellphone provider to try to figure out why the phones are no longer working and what has really happened.

[00:14:35] Patricia Escriva: What did she say... "Oh, your lines, you transferred your lines..." Then I had it, you know. I said, "No. And if you don't call somebody above you, I'm going to call the police, and this is going to be big." So she goes, "No, please. Don't make a scene."

[00:14:52] Bob: Well Patricia does make a scene and finally gets someone who understands what happened, a specific kind of attack called a SIM swap. Hackers convince someone at their company to change the phone number to a different service and a different handset. That rendered Patricia's phone and her husband's phone disconnected. Someone stole their phone numbers even while they had their phones in their hands. And every text message intended for them went to the criminals. So the criminals could change their passwords and move money across their financial life.

[00:15:24] Patricia Escriva: He goes, "Well, ma'am, we're very sorry but you know hackers are getting very good." I'm like, "Really?"

[00:15:32] Bob: When you added it all up, the stocks and everything, how much money did these guys try to steal from you?

[00:15:37] Patricia Escriva: About 125,000.

[00:15:40] Bob: That's just crazy, wow.

[00:15:43] Bob: We'll explain what SIM swaps are in more detail in a moment, but whatever has happened, getting a name for it doesn't solve Patricia's $125,000 problem.

[00:15:54] Patricia Escriva: He goes, "Well, you know, don't worry about it. We're going to fix it." "Okay, you're going to fix it." But you know how long did they take to find our phone numbers? Three days.

[00:16:07] Bob: Oh my God.

[00:16:08] Patricia Escriva: Three days to find our phone numbers.

[00:16:11] Bob: So that whole time you couldn't make any phone calls or anything, right?

[00:16:13] Patricia Escriva: Nope, nope. We were using my friend's phone.

[00:16:18] Bob: And in the meantime, their bank isn't being clear about what's happened to their money.

[00:16:23] Patricia Escriva: They were calling us, we're so, you know, we apologize, this and that, or your money's going to be back into the account. And I said, "Now what happened to our stocks?"

[00:16:34] Bob: What's happened to the stocks? The bank said it would straighten all that out but while they're waiting, well, things happened that aren't very confidence boosting.

[00:16:45] Patricia Escriva: So all credit cards are stopped. They were going to send us new ones, right? Then I see my phone, a new email. Oh, UberEATS, $850. I'm like, oh my God! So I came immediately to the house, I said to my husband, "Look at this!" So we called the bank, and we said, "Listen, we haven't even gotten the new credit cards, and I already, I already have a, an amount of $850 in UberEATS? What the hell is going on?" I mean mad. They go, "Oh, they used it for the virtual card." I'm like, "People, really." So they go, "Okay, we're going to, we're going to block that too." I'm like, "You should have done that from the beginning."

[00:17:28] Bob: $850 in UberEATS, were they getting a hamburger on the moon? What is this?

[00:17:32] Patricia Escriva: Exactly. I don't know, but I'm telling you, and it wasn't just $850, then um, what I realized about everything that was happening, it was 300, and then 400, and UberEATS also should be, everybody should be on the same channel, you know. I said, okay, wait a minute. $850 in UberEATS, for McDonalds? Really? Now, come on.

[00:17:56] Bob: Eventually, Patricia and her husband get access to their phones and they get their new credit cards, and they do get their money back. All of it.

[00:18:06] Patricia Escriva: They rebuy our stocks and give us, you know, a little bit of money that we gained, back in that period of time. So we already, by that time, would have a new account number, we have all our money into our account, but me and my husband we're, we're kind of like fighting to each other because if I was speaking close to whoever, he's like, "Be quiet!"

[00:18:32] Bob: We shouldn't understate the stress the situation caused.

[00:18:36] Patricia Escriva: Do you know, I'm like, okay, we're going nuts here. So I call my doctor, and I said, "I think we're going to need a psychologist here to get us out of this situation," because you know, you're constantly in, in fear like somebody's listening to you. Like somebody's getting into your account, that somebody's doing this, somebody's doing that.

[00:18:55] Bob: But not all these stories end with consumers getting all their money back.

[00:18:59] Patricia Escriva: "Two weeks ago, two sisters came into our branch, but they weren't as lucky as you were. They wait too long and their stocks was sold, the money was transferred into their accounts, and the money was cashed out."

[00:19:14] Bob: That's terrible.

[00:19:16] Patricia Escriva: Yes, it is, because then the bank is not responsible, they said, nobody's responsible. Just you lose your money and that's it; that's the end of the story. Which is horrible.

[00:19:27] Bob: There's a lot of blame to go around, Patricia thinks.

[00:19:30] Patricia Escriva: "How come somebody's able to add a new device online to an account? That's, for me, that sounds insane. And second of all, seconds later they changed the passwords. Don't you think you should, you should, right, block our accounts and wait until the next day until we get to the bank?" They go, "Well, you know..." I said, "No, well you know nothing. That shouldn't be done, period. If somebody wanted to change their device into their account, they should come in person to any branch and bring two identifications, period. I mean everything is being done in online. I wonder why."

[00:20:15] Bob: Because Patricia feels so passionate about bringing attention to this crime, she went on TV to talk about it, and she's talking with us.

[00:20:23] Patricia Escriva: Don't tell me it's that easy to steal a phone number because if it's that easy to steal a phone number, everybody's at risk.

[00:20:32] Bob: So I can tell from the passion in your voice that you really want to talk about this. Tell me why.

[00:20:38] Patricia Escriva: Because, Bob, I don't want that to keep happening to people, you know. When I, when I put the in--, the interview in NextDoor, I got like 200 messages. They go, "You're lucky that you got your money. I didn't. It happened to me, I had AT&T. I have Xfinity, I have T-Mobile, I have a Metro." So it happened to every company, and who has to put their hands into fix this problem? I think the government. The government has to tell them, okay, listen. If this happens again, they're going to be able to own your company, in other words, because otherwise it's going to continue and continue and continue.

[00:21:16] Bob: So oh, what is it you want people to remember about your story after listening to this?

[00:21:20] Patricia Escriva: To be careful with their phone. Check your phone, and if you have no, no tags, no WhatsApp, no phone call, no emails, something is not right, because I always say, the phones, they have a heart, 'cause continually if you don't get a text, you get a WhatsApp or you get an email or you get something from somebody, any, you know, because that happened to me. When I realized I see my phone, I say, wow, that's weird that I don't have any text, no phone call, no WhatsApp. And then...

[00:21:50] Bob: I like how you put it that the phone has a heart. It's like there's a, you, you can tell there's something, there's a sign of life, there's something always happening, right?

[00:21:56] Patricia Escriva: Exactly. Always, always.

[00:22:00] Bob: So you want people to notice if there's, their phone has no sign of life. Is, is there anything else about, I mean does this make you think about how, you know, fragile your, your savings and your stocks and your money is in general?

[00:22:12] Patricia Escriva: Very, very. Also now we have, every time we go into our account, uh we have like they send us like a pin number, you know, like a code. And then you have to go through that code, but before that, it's kind of like they ask you a bunch of questions. They said, well you should do that, even though people will tell you, oh, that's a pain in the ass, I'm sorry about my French, it's a pain in the butt, I said, I'd rather to go through one, two, three, four, six steps in order for me to be safe than being sorry.

[00:22:45] Bob: Yeah, it, it, yeah, it's not, it's not the greatest thing that somebody can sell all your stocks and move all your money within a couple of hours, right?

[00:22:52] Patricia Escriva: Exactly. And like, let me tell you. And if I wait a little bit longer because these two sisters, that's what they did, they were waiting for the phone company to call them and the bank to call them. I said, no, you need to move immediately and get your case in top of whoever you need to talk to because look what happened to them? They sold the stocks, they transferred the money to their accounts, and they were able to cash it out. And then, like I said, your money's gone, it's gone. If you see something, say something. And if you feel something is not right, act immediately. Don't wait.

[00:23:31] Bob: Don't wait. Always good advice. Okay, so to really understand what a SIM swap is and what you can do to protect yourself, and I promise, we have very practical homework for you here; we have Rachel Tobac here today. She's been a Perfect Scam guest before. She is CEO of SocialProof Security which helps people and companies avoid getting hacked.

[00:23:53] Rachel Tobac: Oh her story makes me so sad because unfortunately, it's so common right now.

[00:23:59] Bob: How is SIM swapping common right now? Haven't we been dealing with this for years?

[00:24:04] Rachel Tobac: I know, isn't that crazy? Unfortunately, it's still been going on for many years. I think I heard of my first SIM swap about 10 years ago, and unfortunately, it's gotten more common over the years. You would think it would be harder and harder for attackers, but unfortunately, just the way that telcos verify identity hasn't changed enough to make it more difficult for them to take over accounts, and in turn, take over your entire digital life.

[00:24:30] Bob: The happy ending to Patricia's story is she was made whole, 'cause they were able to rebuy the stocks even and she didn't lose any money there. But have you heard of stories where people do end up losing significant amounts of money because of SIM swaps?

[00:24:42] Rachel Tobac: I have known people to lose millions of dollars. I've known people to lose their entire life savings. This could not be more serious.

[00:24:51] Bob: We've already mentioned the method criminals use to take over Patricia's account, SIM swap, but I wanted Rachel to explain in detail what a SIM swap is.

[00:25:00] Rachel Tobac: So a SIM swap is whenever a cybercriminal wants to gain access to your account, your phone number. And the way that they do this is they call up your telco, the carrier that helps you with your phone service, and they might say something like this: "Hey, this is Bob Sullivan. I dropped my phone in the toilet. I got a new phone. I need to make sure that I port over my SIM to this new device. Can you help me get that set up?" And the telco says, "Oh yeah, absolutely. We can help you with that. What's your mother's maiden name and what's your date of birth? And we need to verify your address," or some other pieces of information which are pretty easy for you to pretend you know the answers to. You can find them online, right? After they've confirmed you are "you" they then port that SIM to the new device, effectively giving the attacker, the cybercriminal, access to your phone number that gets your two-factor codes and your verification code from the bank, and any other pieces of information in your digital identity. So pretty much everything in your whole life.

[00:26:06] Bob: SIM stands for Subscriber Identity Module. Once upon a time users would swap out physical SIM cards when they changed phones. Today that swapping is usually done virtually via software and network updates. That's why this is called a SIM swap attack.

[00:26:23] Rachel Tobac: And I want to clarify that it's not the smartphone necessarily that's the problem, it's the phone number. And that's what's a really important distinction for folks is if you tie your entire digital identity to your phone number to verify that you're really you to your bank or any other accounts that are important to you, if somebody can take over your phone number, they don't even need to take over your smartphone. That's the problem is we don't necessarily always have control over our phone number if the telco can give somebody else access to it.

[00:26:56] Bob: Well this part I think is the most eye-popping part of the story which is, this happened in the evening and before she was able to even just stop the bleeding, let alone get control of her phone number back, criminals had actually sold her husband's stocks.

[00:27:10] Rachel Tobac: I know, I saw that.

[00:27:11] Bob: They liquidated stocks. And to me, how does a criminal call a telco company and the next thing, how are they able to sell someone's stocks?

[00:27:20] Rachel Tobac: They've got this whole process automated and ready to go. So they're looking for a target. They pretty much know what you have access to. They've done some research to figure out what they're going to attack in your digital life, and then the second they gain that access, they take control of everything in your digital life, oftentimes while you're sleeping. So that's why people will wake up and see they don't have any service, and they're like, what's going on? And then they see, once they finally connect to wi-fi, emails from their bank, from their stock services, their 401K, their mortgage, it's ridiculous, it's crazy.

[00:27:52] Bob: I think it's important what you said there a moment ago too about how they are just ready to go. In fact, maybe it's a team who's ready to go the second they really do grab hold of your identity. Boom, eight different scams are running at the same time. Is that about right?

[00:28:04] Rachel Tobac: Yeah, that is right. And when we first learned about SIM swapping, we knew this was a manual process. We could track the attacker going through each and every account and see them taking over one at a time. Now with AI, I'm pretty sure they're automating this process. So we have watched threat actors do this in real time and they're able to take over more than one account in a moment, so they're quite obviously using AI to automate this SIM swapping process now.

[00:28:28] Bob: Oh my God. So while you're like on hold with your carrier, they're already using AI to ramshackle all your accounts.

[00:28:36] Rachel Tobac: Yeah, that's right, and they're going through multiple at a time. It's very scary.

[00:28:41] Bob: There's one moment when she was talking to me that just made my head explode. So she knows there's a problem, she's figured out that something's gone wrong with her service, and she calls her bank to say stop sending money around, and the first thing the bank says is we can't help you until we send you a text to confirm that you're you.

[00:28:59] Rachel Tobac: Yeah.

[00:29:00] Bob: I can't think of anything more frustrating than a moment like that.

[00:29:02] Rachel Tobac: It's extremely mindboggling because your digital identity is like an onion. You peel back the layers, and you realize just how much they rely on the previous layer, and it makes it very frustrating to regain control of your digital identity if it's been stolen from you. It's very scary.

[00:29:18] Bob: And, and recovering from that just sounds like such a huge nightmare.

[00:29:22] Rachel Tobac: It is, and oftentimes people will say years later, they're still not recovered. They still haven't gotten access to all of their money, or they got some of their money, but they lost their cryptocurrency. Or they lost all of their cryptocurrency and they lost their stocks, but they regained access to their Instagram and their Facebook. It's just crazy how much that we have online that is valuable to us. People think, oh, you know, who's going to go after little old me? What do they want from me? Your life savings and your social media accounts to trick everyone around you that you love. And access to where you live so that they can further gain more information about you to take over more accounts. The list goes on and on. You don't have to be some huge bigshot for someone to want to gain access to your life savings.

[00:30:06] Bob: Okay, so how does someone know if they've been a victim of a SIM swap attack?

[00:30:12] Rachel Tobac: Every time I've ever talked to a victim of a SIM swap attack, the first thing that they said they noticed is, suddenly my phone stopped working, aka, they didn't have service. So one time a friend of mine was going through a SIM swap, and they said the first thing they noticed, they were out for a walk, and they had the little SOS on their phone. They're like, wait, what? What is, what's going on? So they tried to place a call to their spouse--didn't go through. Ran home, got on wi-fi, and then ended up seeing all the notifications from their bank and more.

[00:30:43] Bob: As with Patricia, the attacks often happen at night when a victim might not notice it right away.

[00:30:49] Bob: That gives them an 8, an 8-hour head start or whatnot, right?

[00:30:52] Rachel Tobac: Oftentimes, yes.

[00:30:53] Bob: So Patricia, she had to go next door and borrow a neighbor’s phone, and I think that's probably pretty typical.

[00:30:58] Rachel Tobac: Definitely. Most people don't have landlines anymore, or a spouse is out working or something. They don't have another phone to place calls.

[00:31:04] Bob: Okay, this is a bit of a digression, but I think it's an important one. Recently, a major carrier, we won't mention who, a major carrier had a big outage and a whole bunch of people woke up to their phones don't work.

[00:31:15] Rachel Tobac: Yeah.

[00:31:16] Bob: And the smart ones were thinking, oh my God, I'm a victim of a SIM swap attack.

[00:31:21] Rachel Tobac: Sure.

[00:31:21] Bob: That must have been a terrible experience, and how would you know the difference?

[00:31:24] Rachel Tobac: Yeah, that is really hard. You would probably call your carrier, and they would say we're in the middle of an outage, and then you would know okay, this is a problem for most people, not just for me. But until you got word from your carrier or saw your carrier on social media discussing it, yeah, I would definitely assume that you're a victim of a SIM swap.

[00:31:41] Bob: Okay, so this happens, you get an SOS on your phone, you get to wi-fi, you see something bad has happened. What should be your first step?

[00:31:49] Rachel Tobac: Yeah, the first step is I would probably call the telco and I would say, if somebody said that they were me, and they tried to port my phone number to a new device that wasn't me, and we need to immediately verify my identity so that you can port it back. As soon as you're doing that, if you have another person around you who has a phone, contact your bank and say, "Someone is pretending to be me. I'm dealing with fraud right now. We need to shut down all wire transfers, all changes of the bank account." Don't let somebody take over your bank account in that moment.

[00:32:19] Bob: I, I do think this urge to go home and get on wi-fi, that might not be natural for some people, but that's a really important part of handling this, right?

[00:32:27] Rachel Tobac: Yeah, definitely. If you see immediately that you don't have service and this isn't some like widespread outage, yeah, I would immediately try to get on wi-fi so that you can support yourself in eliminating some of this risk. Call your bank immediately. And people, oftentimes their phone is their lifeline. They don't have another phone. So if they're by themselves, they need access to a laptop or some other device to be able to place these calls and stop these attackers in action. And time is of the essence here. You have to react quickly, which is why it's so scary that a lot of these SIM swappers are unfortunately smart and will SIM swap in the middle of the night.

[00:33:00] Bob: It's one of those things, we used to have these lists by the phone of the fire department, the police department, numbers to call. Sometimes I wonder if we shouldn't have a list that included not just a large bank's phone number, but large bank's fraud department phone number. These other emergency call numbers or email addresses would be handy to have in a crisis like this, don't you think?

[00:33:18] Rachel Tobac: Yeah, they would. And oftentimes it's as easy as calling the number on the back of your card. So if you don't have, time is of the essence, right? So if you don't have a lot of time to search or you don't have great internet 'cause you're dealing with this, look at the number on the back of your card and immediately call it.

[00:33:32] Bob: Can you talk about what consumers' rights are in a situation like this? If my bank account gets hacked and or my debit card is stolen, someone steals money, I'm entitled to get it back. Well what happens when there's a SIM swap attack? Do you know?

[00:33:45] Rachel Tobac: Yeah, so the really scary thing is we're in the wild west right now with cybersecurity and the way that it impacts the digital and financial life. Right now they're trying to pass the buck back and forth about whose job it is and whose liability it is when these types of attacks go down. Oftentimes the bank will argue, well you're the one who authorized the transaction; of course it wasn't you, it was someone pretending to be you. And then the telco will argue, you're the one who ported your phone number to a new device. That wasn't us. You gave us the authorization. And so just unraveling the fact that wasn't you, somebody was pretending to be you, it seemed like it was you, but it wasn't you, is the hardest part. And getting people and companies to take responsibility for falling for these pieces of social engineering, fraud, attackers who are trying to impersonate you to different organizations, that's sometimes the hardest part.

[00:34:38] Bob: And I definitely have heard of situations where the bank's first reaction is no, this isn't, you don't have dispute rights here. This is the telco's problem, or the telco tells us, it was your fault so we're not giving you your money back. I've heard of that happening, so that's, yeah, yeah.

[00:34:51] Rachel Tobac: Yes. It happens all the time and it's really scary because people think that they have total control over their digital lives when in reality, it's in the hands of the telco. That's why I don't recommend relying on a phone number for your digital identity.

[00:35:06] Bob: Okay, so what the heck am I supposed to do about this?

[00:35:08] Rachel Tobac: Yes. So what do we do about this? The good news is there are some action steps that you can take that are relatively easy to understand to greatly reduce your risk of a SIM swap attack. Number one: You can lock down your SIM with your provider. So you can contact your telco and say, hey, I want to lock my SIM so if someone tries to port it, including me, they can't do that until they verify identity correctly. And that is a really, I would say, variable way of attempting to protect yourself because sometimes the attacker can get on a phone call, say hey, I need to turn off my SIM protection and not every telco protects that action correctly. So you're gambling with whether or not that will protect you. Next, you want to make sure that your digital life is not tied to your phone number, so when your bank and your email and your stock broker and all the companies that you trust, say hey, let's get you set up with another method to verify it's you, multifactor authentication, that code that goes to your phone. We call that an OTP or a one-time password or a 2FA, two-factor authentication. If they want to send that to your phone number, that is a risky way to verify your identity. Why is that? Because if somebody takes over your phone number, they will receive those codes. So what do we do instead? I recommend instead of having those codes go to your phone number, have a multifactor authentication app on your phone that you can use to verify your identity, and it can't be stolen from you with a mistake by the telco. So examples of this would be something like DUO, or Google Authenticator, or Microsoft Authenticator. If somebody takes over your phone number and they try to take over all of your accounts with one-time passwords or two-factor codes redirected to the attacker, they're not going to get anything, or they're going to try to use it and it's not going to work because they're all tied to an app that they can't steal.

[00:37:08] Bob: So I have had, I have done that, and I had this experience of having my phone stolen, and the problem was I had no access to my authenticator app anymore, and it was absolute hell to pay to recover from that situation. Actually I think Google Authenticator specifically has made this better now. There's a backup where there didn't use to be. But the authenticator, like none of these things are perfect, right?

[00:37:29] Rachel Tobac: Nothing is perfect in this world. But Google Authenticator is pretty good because you can have a backup of it, and you can use a different device to back up if say somebody steals your phone out of your hand, that is what I recommend. Using a tool that has a cloud backup and protecting that with a long random and unique password and multi-factor authentication itself. And another thing to think about is, oftentimes organizations that you use online, they'll try to convince you to use your phone number to verify you're you, and oftentimes there are two choices. Use your phone number for an OTP or use your email. Go the email route. Don't do just the phone number text to verify that it's really you to log in for your bank. Tie that to an email address which is much harder to hack with multifactor authentication that isn't your phone number.

[00:38:14] Bob: I want to really stress this point. Multifactor authentication is very, very important, and I don't want this to sound in any way like I'm discouraging you from using it on all your accounts. Many of us do choose that simple, get a text message, SMS tool is our second factor when logging in, and this is certainly better than nothing, but this story really stresses the flaw in that system. If you don't have access to your phone, you'll have trouble logging in. And if someone else has access to your messages, it can really be a disaster. That's why Rachel suggests getting that code via email rather than text because you almost certainly have multiple ways to access your email, and even better, using one of those authenticator apps if you can.

[00:38:58] Bob: I want to go back to the SIM lock for a second. All, all carriers now offer SIM locks, right?

[00:39:02] Rachel Tobac: Most of them do.

[00:39:03] Bob: Most of them do. Okay, and that's a pretty, it's a pretty simple process. It reminds me a little bit of getting a security freeze on your credit report.

[00:39:09] Rachel Tobac: Yeah, I would say it works 80% of the time. 20% of the time the attacker is able to convince the telco to just turn off the SIM lock because of some issue.

[00:39:19] Bob: Hmm, sure. It's just, just another question they have to answer correctly, so...

[00:39:23] Rachel Tobac: Exactly, right? It just depends on; it depends on the carrier.

[00:39:26] Bob: So is it still worth doing 'cause it works 80% of the time?

[00:39:30] Rachel Tobac: I think, I think of it like the Swiss cheese model. If you can layer up a bunch of different pieces of Swiss cheese, you don't want the holes to line up, and if you line up a lot of pieces, the holes are unlikely to line up. So yeah, I would try to do as many methods to protect yourself as you possibly can and that's just one of them.

[00:39:48] Bob: So contact your carrier and inquire about a SIM lock. I was able to add it to my cellphone online in just a few moments.

[00:39:57] Bob: You, you don't have to attack any particular carrier to answer this question, but really what is going on if this problem is getting bigger and bigger? And obviously, the consequences are im--, immense. Why hasn't this been solved?

[00:40:08] Rachel Tobac: It's really hard. The telcos have this massive challenge where for people who aren't as digitally savvy, they call up their, their phone provider, and they need to get help really quickly. Your phone, because it's so important as a lifeline for you in order to call 911 and more, you have to be able to use your phone. So if something's not working, they have to be able to fix it really fast so that convenience becomes even more important because it's tied to your safety honestly, your ability to place a phone call. So being able to port over a number, get your phone up and running, everything working the way that you need to, they have these really strict SOAs, or the requirement to get something done immediately. And because of that, it means that sometimes they're going to sacrifice security to verify you incorrectly and give somebody else access to your phone number. I work with a lot of different telcos, that's actually a huge part of my customer base, to get prepared to avoid SIM swapping, and it's just an ongoing challenge that we continue working on constantly to try to make it way harder for attackers to do.

[00:41:12] Bob: I think we forget there was a time when it was very hard to port your phone number to a new carrier, for good reasons there was a fight to make that easier so that people could shop around. And so they've got two masters to serve here; they've got to make it easy to change your number, but then they've got to make it hard to change your number.

[00:41:26] Rachel Tobac: Yeah, it's a really hard thing to get that push and pull between convenience and security just right, and I don't think we've nailed it yet.

[00:41:35] Bob: We certainly haven't nailed it yet. We could all argue about whose fault that is, but for now, you really have to take charge of protecting your life and your digital identity. And today that means making sure that your life isn't tied exclusively to your smartphone. For The Perfect Scam, I'm Bob Sullivan.

(MUSIC SEGUE)

[00:42:02] Bob: If you have been targeted by a scam or fraud, you're not alone. Call the AARP Fraud Watch Network Helpline at 877-908-3360. Their trained fraud specialists can provide you with free support and guidance on what to do next. Our email address at The Perfect Scam is: theperfectscampodcast@aarp.org, and we want to hear from you. If you've been the victim of a scam or you know someone who has, and you'd like us to tell their story, write to us. That address again is: theperfectscampodcast@aarp.org. Thank you to our team of scambusters; Associate Producer, Annalea Embree; Researcher, Becky Dodson; Executive Producer, Julie Getz; and our Audio Engineer and Sound Designer, Julio Gonzalez. Be sure to find us on Apple Podcasts, Spotify, or wherever you listen to podcasts. For AARP's The Perfect Scam, I'm Bob Sullivan.

(MUSIC OUTRO)

END OF TRANSCRIPT

The Perfect Scam℠ is a project of the AARP Fraud Watch Network, which equips consumers like you with the knowledge to give you power over scams.
